Firewalling Umbrel

After this commit it’s now nearly impossible to have a restrictive outgoing firewall ruleset for Umbrel. Tor traffic is going out on a plethora of ports and adding them all to my firewall ruleset is like playing a game of wack-a-mole. Is it possible to specify what ports the tor traffic is routed through somehow?

I much prefer the way it used to work where everything was routed through port 9001/9003. I could deny all other outbound traffic from Umbrel.

Why would you do such thing?
Why people love to complicate things when is not really necessary?

1 Like

Security is complicated.

I have other sensitive appliances on my rather extensive home lab network. An important principle in network security is preventing lateral movement. A firewall is one tool in accomplishing that goal.

I reckon most users just run Umbrel
on their flat open home network.

Not being able to specify what network ports are being used by Umbrel is a bit of an issue.

1 Like

Then just put your umbrel node in DMZ (out of your such sensitive lab) and done.
Why so much drama for nothing?
Do you really think that somebody will find out that you run a Tor node, in your location (I doubt is a real case) and will start DDoSing your location?

Too much paranoia for nothing, I think. Even if will start flooding your connection, what they can do/achieve? Nothing?

Putting your Umbrel node in a DMZ is a terrible idea and doesnt really work in a large network with multiple services spread across different VLANs, etc.

All it takes is a single vulnerability in one of the exposed services that can be exploited to gain local access to the machine (or at least the docker container). If you just toss every single service you have at home into a DMZ you’re not really accomplishing anything.

There’s also the other way around to consider. What if one of your other devices in your network gets compromised. You wouldnt want an attacker to be easily able to pivot to your Umbrel system and steal your sats. Most IoT devices for example are a security disaster.

I’m not at all worried about denial of service attacks.

At the end of the day, you do you. It’s your sats. I’ll opt for security and making sure my assets are as safe as possible. Locking up sats in a lightning network node is a lot more risky than keeping my sats in cold storage. The least I can do is implement common sense security measures to ensure my lightning node is as secure as possible.

1 Like

LOL you lost me at that. Please, provide more details about such an “attack”.
People have wrong idea about how sats are “steal”. Just by having a port exposed to the network doesn’t mean automatically anybody can “steal your sats”.

Then why are you running a node at all? They will steal your sats anyway, anything you will do, you are exposed.

If you are so “knowledgeable” in stealing sats, I will give you my nodeid, please steal my sats.

Your Umbrel instance manages your onchain wallet associated with your Lightning Node. Where do you think the private key for that wallet is stored?

I’m obviously not saying anyone can just waltz into my Umbrel instance and steal my funds, but if anyone finds a 0-day in Umbrel or any of the plethora of services exposed by it, they can with relative ease escape the container and steal your onchain wallet private key. They don’t even have to escape the container to use Lightning tools and send sats in your Lightning channels somewhere else.

Or, the other way around, there’s a vulnerability in one of the other services you have running in your network and they exploit that to gain access to your network and potentially your Umbrel node.

It’s not my job to lecture you on computer security. There’s a reason why firewalls exist and why even relatively small business pay big money for both equipment and expertise to ensure their network is as safe as possible. Any software should be presumed to have security flaws that can be exploited by a determined attacker.

1 Like

Is encrypted remember? Be my guest trying to decrypt it, even if you supposedly you enter in possession (I still doubt it you can do that).

Do you know what probability means?
Please indicate me the probability that a my random Tor node would be attacked by a random guy, that don’t even have the certainty that I would have some funds in that onchain wallet (BTW, I use Umbrel only for some bunch of LN channels and never have onchain funds).


1 Like

Even it the key was stored in encrypted form on disk it still needs to decrypted when loaded into memory. Otherwise, how do you think transactions are signed? I’m not sure you know how encryption works. I havent checked recently but when I did review the Umbrel code the onchain wallet private key was stored in cleartext.

Your argument is silly. Just because it’s unlikely your node will get attacked doesnt mean that it’s senseless to configure a firewall to protect your node. It’s an easy measure which provides significant benefits.

Also, nobody is saying you should be storing all your sats on a LN node. However, I still have a decent amount of sats locked up on my node. Enough for me to put in some minimum effort in order to secure it.

If you have local funds on your Umbrel node those are tied to HTLC’s associated with your onchain wallet. If I obtained the key for that onchain wallet I could initiate closures and steal the locked funds. Just saying.

1 Like

Please do it. Show me proofs that what you say is possible.
That “IF” is a a looot of work and non guarantee that will be a sucess.
I think you saw too many “hacker” movies.

I think you’re seriously underestimating a) what’s possible and b) how much effort people are willing to put in when there’s money of the table.

Not sure what kind of proof you need. Various crypto exchanges get hacked frequently. And outside the crypto world there are countless of examples. Look at talks from Blackhat or Defcon for some. Alternatively, here is a good read if you’re interested.

1 Like

LOL this should be included in the famous :slight_smile:
You are totally wrong. Those weren’t hacks in any way. Were just inside jobs, disguised in “hacks” just to scare and fool noobs. Those “hacks”, NONE of them were real hacks of BTC private keys, were damn leaks of admin accounts with access to private keys. Is a big fucking difference.

As I said: please provide any proof in the whole Bitcoin history that a node wallet private keys, were compromised, hacked, accessed or whatever .
Don’t you think we were hearing about that until now, if it was true or easy to do it? In the whole 13 years of history I heard NONE.

You’re being deliberately obtuse.

I can steal your private key stored in cleartext from your Umbrel server then the security of the Bitcoin blockchain doesnt matter. I also never claimed private keys were hacked. Vulnerabilities are discovered in various applications all the time. If you want to bet your money on Umbrel being free of bugs then by all means. There is no such thing as 100% secure software hence why compensating measures are relevant. Arguing otherwise is weird. Why do you think multisig is a thing?

How about I keep firewalling my Umbrel instance and you don’t and then we go our separate ways. You have seemingly very little understanding of security and even less interest in learning.

1 Like

You are again wrong. I have 25+ years in IT and I know enough about computer security.
And is not about Umbrel in particular. I asked you about a proof that in all these 13 years of Bittcoin somebody was able to steal sats from an obtained private key file (let’s assume was not even protected by an Umbrel software), just a stupid PC with a bitcoin wallet node and exposed totally on internet, not even running behind a Tor.

But instead you keep bashing about not having enough security. We are talking about real cases not mumbo jumbo.

Ofc it makes sense to try and improve security by blocking unnecessary traffic. If you’re targeted by an attacker they’ll probably find those open ports that they can use anyway, but it’s not totally useless firewalling traffic and it may prevent automated large scale attacks. It’s common for the exploit to connect to the outside world to load the full payload of the exploit or to hook up with the command and control center.

Even SSH has had remote exploits where you could login as root on any linux server, so why should that port be open to the internet (as an example) if you don’t need it.
There’s an ever growing amount of BTC treasury to be claimed by anyone that finds remote exploits on the LN related services and projects, trying to minimize the attack surface when you have a reasonable amount of BTC locked up in your node’s hot wallet makes sense. If you got root on a running node, it doesn’t matter if the stored file on disk is encrypted.

Why reply to only boast about 25+ years of IT knowledge instead of trying to help :smiley:


Please provide your firewall logs where it shows how your Umbrel node is massively attacked that cannot handle anymore the traffic and you sats are stolen.

First of all, Umbrel run behind Tor, so no clearnet ports exposed.
Secondly, the ports are used, are secured, so without local access and password it is impossible to enter remote into your Umbrel machine.
Third: SSH is not even activated for external access in Umbrel, only from local IP.
Fifth: if you run Umbrel in a standard linux machine, you already tinker your own ufw and set exactly and only what you need to be visible outside.

Please provide the way to get in into a Umbrel Tor node, otherwise is just mumbo jumbo.

DoS and finding remote exploits are different things.

Unless your onion address get leaked by mistake. Or one of your devices in your network got infected by some automated worm looking for Umbrel instances. Or if someone hacked this forum and checks the remote IP of all users, then scans those networks and continue from there.

I just gave an example of the SSH daemon itself being vulnerable in the past, no username and password was required. There may be other vulnerabilities in the future for any of the services running on the node.

It was an example. But a hacker could for example bounce on some other device in your network, like from your desktop machine with a vulnerable browser. Or you connect your node directly to the public internet by mistake.

“Tinkering with ufw” is the problem here since Umbrel no longer uses standardized ports for tor traffic, making it next to impossible to define allow rules for traffic that should be allowed out, hence the reason for this post to begin with.

Just because there are no publicly known vulnerabilities in Umbrel being exploited does not mean that you shouldn’t take measures to protect your node. Your reasoning makes no sense. But please feel free to give my your clear text private key since youre convinced there’s no risk associated with doing so.

I don’t think debating the necessity of a firewall is fruitful.

You are just making unnecessary noise without any base in your assumptions.

Clearly you’ve been 25+ years in IT, your human skill set show it. Tone down will you … and BTW … I never received a normal answer why I can’t disable remote Tor access to my Umbrell node anymore and in the meantime … you kept pretending you didn’t understand my question.

1 Like